DEPARTMENT OF HEALTH & HUMAN SERVICES                              Office of Inspector General
                                                                         Washington, D.C. 20201

November 3, 2009

TO:            Charlene Frizzera
               Acting Administrator
               Centers for Medicare & Medicaid Services

FROM:          /Daniel R. Levinson/
               Inspector General

SUBJECT:       Review of Medicare Contractor Information Security Program Evaluations for
               Fiscal Year 2006 (A-18-07-30290)

The attached final report provides the results of our Medicare contractor information security program evaluations for fiscal year (FY) 2006. Our objectives were to (1) assess the scope and sufficiency of Medicare contractor information security program evaluations and data center technical assessments and (2) report the results of those evaluations and assessments.

The Medicare Prescription Drug, Improvement, and Modernization Act of 2003 added information security requirements for Medicare administrative contractors, fiscal intermediaries, and carriers to section 1874A of the Social Security Act (the Act) (42 U.S.C. § 1395kk-1). These contractors process and pay Medicare fee-for-service claims. Pursuant to section 1874A(e) of the Act, each Medicare contractor must have its information security program evaluated annually by an independent entity. Section 1874A(e) of the Act requires that these evaluations address the eight major requirements enumerated in the Federal Information Security Management Act of 2002 (FISMA). (See 44 U.S.C. § 3544(b).) To comply with this provision, the Centers for Medicare & Medicaid Services (CMS) contracted with PricewaterhouseCoopers to evaluate information security programs at the Medicare administrative contractors, fiscal intermediaries, and carriers using a set of agreed-upon procedures.

Section 1874A(e) of the Act also requires an evaluation of the information security controls for a subset of systems but does not specify the criteria for these evaluations. To satisfy these requirements, CMS developed an information security assessment methodology to test segments of the claims processing systems at Medicare data centers. Data centers operate the computer systems that process and pay Medicare fee-for-service claims. CMS contracted with JANUS Associates, Inc. (JANUS), to perform technical assessments at Medicare data centers using the assessment methodology.

Section 1874A(e) of the Act further requires the Inspector General, Department of Health and Human Services, to submit to Congress annual reports on the results of these evaluations, to include assessments of their scope and sufficiency. This report fulfills that responsibility for FY 2006.

PricewaterhouseCoopers' reviews of the contractor information security program evaluations were adequate in scope and sufficiency. We could not determine the extent and sufficiency of the JANUS work for the data center technical assessments because of several issues with its working papers. CMS's contract with JANUS provided for the planning, development, and implementation of a comprehensive program to perform security testing of information controls at Medicare data centers.

We recommend that CMS review all contractor documentation related to future data center technical assessments and ensure that the work performed complies with CMS contractual requirements. At a minimum, this should include a review of test plans to ensure that the contractor has completed all required testing procedures and a review of contractor working papers to verify that reported gaps have been adequately supported, identified, and included in the technical assessment reports.

In written comments to our draft report, CMS concurred with our recommendation.

Section 8L of the Inspector General Act, 5 U.S.C. App., requires that the Office of Inspector General (OIG) post its publicly available reports on the OIG Web site. Accordingly, this report will be posted at http://oig.hhs.gov.

Please send your final management decision, including any action plans, as appropriate, within 60 days. If you have any questions or comments about this report, please do not hesitate to call me, or your staff may contact Lori S. Pilcher, Assistant Inspector General for Grants, Internal Activities, and Information Technology Audits at (202) 619-1175 or through email at Lori.Pilcher@oig.hhs.gov. Please refer to report number A-18-07-30290 in all correspondence.

Attachment


Department of Health and Human Services
OFFICE OF INSPECTOR GENERAL

REVIEW OF MEDICARE CONTRACTOR INFORMATION SECURITY PROGRAM EVALUATIONS FOR FISCAL YEAR 2006

Daniel R. Levinson
Inspector General

November 2009
A-18-07-30290


Office of Inspector General
http://oig.hhs.gov

The mission of the Office of Inspector General (OIG), as mandated by Public Law 95-452, as amended, is to protect the integrity of the Department of Health and Human Services (HHS) programs, as well as the health and welfare of beneficiaries served by those programs. This statutory mission is carried out through a nationwide network of audits, investigations, and inspections conducted by the following operating components:

Office of Audit Services

The Office of Audit Services (OAS) provides auditing services for HHS, either by conducting audits with its own audit resources or by overseeing audit work done by others. Audits examine the performance of HHS programs and/or its grantees and contractors in carrying out their respective responsibilities and are intended to provide independent assessments of HHS programs and operations. These assessments help reduce waste, abuse, and mismanagement and promote economy and efficiency throughout HHS.

Office of Evaluation and Inspections

The Office of Evaluation and Inspections (OEI) conducts national evaluations to provide HHS, Congress, and the public with timely, useful, and reliable information on significant issues. These evaluations focus on preventing fraud, waste, or abuse and promoting economy, efficiency, and effectiveness of departmental programs. To promote impact, OEI reports also present practical recommendations for improving program operations.

Office of Investigations

The Office of Investigations (OI) conducts criminal, civil, and administrative investigations of fraud and misconduct related to HHS programs, operations, and beneficiaries. With investigators working in all 50 States and the District of Columbia, OI utilizes its resources by actively coordinating with the Department of Justice and other Federal, State, and local law enforcement authorities. The investigative efforts of OI often lead to criminal convictions, administrative sanctions, and/or civil monetary penalties.

Office of Counsel to the Inspector General

The Office of Counsel to the Inspector General (OCIG) provides general legal services to OIG, rendering advice and opinions on HHS programs and operations and providing all legal support for OIG's internal operations. OCIG represents OIG in all civil and administrative fraud and abuse cases involving HHS programs, including False Claims Act, program exclusion, and civil monetary penalty cases. In connection with these cases, OCIG also negotiates and monitors corporate integrity agreements. OCIG renders advisory opinions, issues compliance program guidance, publishes fraud alerts, and provides other guidance to the health care industry concerning the anti-kickback statute and other OIG enforcement authorities.


Notices

THIS REPORT IS AVAILABLE TO THE PUBLIC at http://oig.hhs.gov

Section 8L of the Inspector General Act, 5 U.S.C. App., requires that OIG post its publicly available reports on the OIG Web site.

OFFICE OF AUDIT SERVICES FINDINGS AND OPINIONS

The designation of financial or management practices as questionable, a recommendation for the disallowance of costs incurred or claimed, and any other conclusions and recommendations in this report represent the findings and opinions of OAS. Authorized officials of the HHS operating divisions will make final determination on these matters.


EXECUTIVE SUMMARY

BACKGROUND

The Medicare Prescription Drug, Improvement, and Modernization Act of 2003 added information security requirements for Medicare administrative contractors (MAC), fiscal intermediaries, and carriers to the Social Security Act (the Act). These contractors process and pay Medicare fee-for-service claims. Each Medicare contractor must have its information security program evaluated annually by an independent entity, and these evaluations must address the eight major requirements enumerated in the Federal Information Security Management Act of 2002 (FISMA). To comply with this provision, the Centers for Medicare & Medicaid Services (CMS) contracted with PricewaterhouseCoopers (PwC) to evaluate information security programs at the MACs, fiscal intermediaries, and carriers using a set of agreed-upon procedures.

The Act also requires evaluations of the information security controls for a subset of systems but does not specify the criteria for these evaluations. To satisfy this requirement, CMS developed an information security assessment methodology to test segments of the claims processing systems at Medicare data centers, which operate the computer systems that process and pay Medicare fee-for-service claims. CMS contracted with JANUS Associates, Inc. (JANUS), to perform technical assessments at Medicare data centers using the assessment methodology.

The Inspector General, Department of Health and Human Services, must submit to Congress annual reports on the results of these evaluations, to include assessments of their scope and sufficiency. This report fulfills that responsibility for fiscal year (FY) 2006.

OBJECTIVES

Our objectives were to (1) assess the scope and sufficiency of Medicare contractor information security program evaluations and data center technical assessments and (2) report the results of those evaluations and assessments.

SUMMARY OF RESULTS

PwC's reviews of the contractor information security program evaluations were adequate in scope and sufficiency. We could not determine the extent and sufficiency of the JANUS work for the data center technical assessments because of several issues with its working papers. PwC reported a total of 110 gaps at 29 Medicare contractors. JANUS reported a total of 115 gaps at 14 data centers.

Assessment of Scope and Sufficiency

PwC's reviews of the contractor information security program evaluations adequately encompassed in scope and sufficiency the eight FISMA requirements referenced in the Act.

We could not determine the extent and sufficiency of the JANUS work for the data center technical assessments because of several issues with its working papers, such as insufficient evidence that all of the testing procedures had been performed, illegible handwriting and the lack of cross-references, and incomplete or undocumented elements. For one data center, JANUS did not include a gap identified during testing in the data center's report.

Results of Evaluations and Assessments

The results of the contractor information security program evaluations and data center technical assessments are presented in terms of gaps, which are defined as the differences between FISMA or CMS core security requirements and the contractors' implementation of those requirements.

Results of Contractor Information Security Program Evaluations

In the 29 PwC evaluation reports for FY 2006, which covered all MACs, fiscal intermediaries, and carriers, PwC identified a total of 110 gaps. The number of gaps per contractor ranged from 0 to 10 and averaged 4. The most gaps occurred in the following FISMA control areas: testing of information security controls (44 gaps at 20 contractors), policies and procedures to reduce risk (22 gaps at 14 contractors), security program and system security plans (15 gaps at 13 contractors), and security awareness training (14 gaps at 10 contractors).

The number of gaps reported in the PwC FY 2006 evaluation reports increased by approximately 20 percent when compared to the results for FY 2005, and the number of contractors with no gaps decreased by a third.

Results of Data Center Technical Assessments

The 14 Medicare data center technical assessment reports prepared by JANUS identified a total of 115 gaps. The number of gaps reported per data center ranged from 0 to 30 and averaged 8. Most of the security gaps occurred in the following security control categories: access control (42 gaps at 6 data centers); configuration management (17 gaps at 4 data centers); media protection (9 gaps at 6 data centers); and certification, accreditation, and security assessments (8 gaps at 4 data centers).

The total number of gaps identified in FY 2006 (115) was 76 gaps more than the number identified in FY 2005 (39). We did not perform a detailed comparison of the number of gaps identified within each security control category for the 2 FYs because of the significant changes in the scope and assessment categories reviewed by JANUS in FY 2006.

Of the 115 gaps JANUS identified at the 14 data centers, 21 gaps were resolved and closed during or after JANUS's onsite visits to the data centers. Hence, there were a total of 94 open gaps at data centers requiring corrective action in FY 2006.

RECOMMENDATION

We recommend that CMS review all contractor documentation related to future data center technical assessments and ensure that the work performed complies with CMS contractual requirements. At a minimum, this should include a review of test plans to ensure that the contractor has completed all required testing procedures and a review of contractor working papers to verify that reported gaps have been adequately supported, identified, and included in the technical assessment reports.

CENTERS FOR MEDICARE & MEDICAID SERVICES COMMENTS

In written comments to our draft report, CMS concurred with our recommendation. CMS also stated that it has taken the appropriate actions to address the identified issues. We have included CMS's comments in their entirety in Appendix G.


TABLE OF CONTENTS

                                                                              Page

INTRODUCTION ................................................................... 1

     BACKGROUND ................................................................ 1
          The Medicare Program ................................................. 1
          Medicare Prescription Drug, Improvement, and
           Modernization Act of 2003 ........................................... 1
          Centers for Medicare & Medicaid Services Evaluation Process
           for Fiscal Year 2006 ................................................ 2

     OBJECTIVES, SCOPE, AND METHODOLOGY ....................................... 3
          Objectives ........................................................... 3
          Scope ................................................................ 3
          Methodology .......................................................... 3

RESULTS OF REVIEW .............................................................. 4

     ASSESSMENT OF SCOPE AND SUFFICIENCY ....................................... 4

     RESULTS OF CONTRACTOR INFORMATION SECURITY PROGRAM
     EVALUATIONS ............................................................... 4
          Testing of Information Security Controls ............................. 6
          Policies and Procedures To Reduce Risk ............................... 7
          Security Programs and System Security Plans .......................... 7
          Security Awareness Training .......................................... 8

     RESULTS OF DATA CENTER TECHNICAL ASSESSMENTS .............................. 9
          Access Control ...................................................... 12
          Identification and Authentication ................................... 13
          Configuration Management ............................................ 13
          Maintenance ......................................................... 13
          Media Protection .................................................... 13
          Awareness and Training .............................................. 14

     CONCLUSION ............................................................... 14

     RECOMMENDATION ........................................................... 14

     CENTERS FOR MEDICARE & MEDICAID SERVICES COMMENTS ........................ 14

APPENDIXES

     A – ASSESSMENT OF SCOPE AND SUFFICIENCY FOR THE JANUS DATA
         CENTER ASSESSMENTS

     B – LIST OF GAPS BY FEDERAL INFORMATION SECURITY MANAGEMENT
         ACT OF 2002 CONTROL AREA AND MEDICARE CONTRACTOR

     C – PERCENTAGE CHANGE IN GAPS PER MEDICARE CONTRACTOR

     D – MEDICARE CONTRACTOR CHANGE IN TOTAL GAPS BY FEDERAL
         INFORMATION SECURITY MANAGEMENT ACT OF 2002 CONTROL AREA

     E – RESULTS OF MEDICARE CONTRACTOR EVALUATIONS FOR FEDERAL
         INFORMATION SECURITY MANAGEMENT ACT OF 2002 CONTROL AREAS
         WITH THE GREATEST NUMBER OF GAPS

     F – LIST OF GAPS BY NATIONAL INSTITUTE OF STANDARDS AND
         TECHNOLOGY SECURITY CONTROL AREA AND DATA CENTER

     G – CENTERS FOR MEDICARE & MEDICAID SERVICES COMMENTS


INTRODUCTION

BACKGROUND

The Medicare Program

The Centers for Medicare & Medicaid Services (CMS) administers the Medicare program. Medicare is a health insurance program for people age 65 or older, people under age 65 with certain disabilities, and people of all ages with end-stage renal disease. In fiscal year (FY) 2006, Medicare paid more than $337 billion on behalf of over 43 million program beneficiaries. CMS contracts with Medicare Administrative Contractors (MAC), fiscal intermediaries, and carriers to administer Medicare benefits paid on a fee-for-service basis. Many MACs, fiscal intermediaries, and carriers operate in-house data centers to process and pay Medicare claims, while others subcontract with external data centers for this purpose.

In FY 2006, 29 distinct corporate entities served as fiscal intermediaries, carriers, or both. Two of these entities also served as Durable Medical Equipment MACs. Nine of the twenty-nine entities also operated Medicare data centers, and five external entities operated the remaining five data centers. Thus, 34 distinct entities processed and paid Medicare fee-for-service claims.

Medicare Prescription Drug, Improvement, and Modernization Act of 2003

The Medicare Prescription Drug, Improvement, and Modernization Act of 2003 (MMA) added information security requirements for MACs, fiscal intermediaries, and carriers to section 1874A of the Social Security Act (the Act).[1] (See 42 U.S.C. § 1395kk-1.) Pursuant to section 1874A(e)(1) of the Act, each MAC, fiscal intermediary, and carrier must have its information security program evaluated annually by an independent entity. This section requires that these evaluations address the eight major requirements enumerated in the Federal Information Security Management Act of 2002 (FISMA). (See 44 U.S.C. § 3544(b).) These requirements, referred to as "FISMA control areas" in this report, are:

        1. periodic risk assessments,
        2. policies and procedures to reduce risk,
        3. security program and system security plans,
        4. security awareness training,
        5. testing of information security controls,
        6. remedial actions,
        7. incident response, and
        8. continuity-of-operations planning.

Section 1874A(e)(2)(A)(ii) of the Act requires that the effectiveness of information security controls be tested for an appropriate subset of Medicare contractors' information systems. However, this section does not specify the criteria for evaluating these security controls. CMS and its information technology (IT) security assessment provider, JANUS Associates, Inc. (JANUS), developed an information security assessment methodology to comply with this provision.

[1] The MMA contracting reform provisions added to section 1874A of the Act replace existing fiscal intermediaries and carriers with MACs, who are to be competitively selected. Until such time as the new MACs are in place, the requirements of section 1874A apply to fiscal intermediaries and carriers.

Additionally, section 1874A(e)(2)(C)(ii) of the Act requires the Inspector General of the Department of Health and Human Services to submit to Congress annual reports on the results of such evaluations, including assessments of their scope and sufficiency. This report fulfills that responsibility for FY 2006.

Centers for Medicare & Medicaid Services Evaluation Process for Fiscal Year 2006

CMS developed agreed-upon procedures (AUP) for the program evaluation based on the requirements of section 1874A(e)(1) of the Act, FISMA, information security policy and guidance from the Office of Management and Budget and the National Institute of Standards and Technology (NIST), and the Government Accountability Office's (GAO) "Federal Information Systems Controls Audit Manual" (FISCAM). The independent auditors, PricewaterhouseCoopers (PwC), under contract with CMS, used the AUPs to evaluate the information security programs at the 29 MACs, fiscal intermediaries, and carriers. The AUPs are the same as those used in FY 2005. PwC performed the evaluations and issued separate reports for the 29 MACs, fiscal intermediaries, and carriers.

To comply with the section 1874A(e)(2)(A)(ii) requirement to test the effectiveness of information security controls for an appropriate subset of contractors' information systems, CMS contracted with JANUS to plan, develop, and implement a comprehensive program to perform testing of information security controls at 14 Medicare data centers. JANUS performed the assessments and issued separate reports for each of the 14 Medicare data centers.

Table 1 summarizes the change in the number of Medicare contractors and data centers. In FY 2005, there were 32 Medicare contractors and 14 Medicare data centers. Changes during FY 2006 resulted in the testing of 29 Medicare contractors and 14 Medicare data centers.

       Table 1: Change in the Number of Medicare Contractors and Data Centers

                                                                 Medicare      Medicare
                                                                Contractors  Data Centers
  Ending Balance, FY 2005                                            32           14
  Less: Entities that left the Medicare program during FY 2006        5            1
  Add: Durable Medical Equipment MACs                                 2
  Add: Enterprise data centers [2]                                                 1
  Beginning Balance, FY 2006                                         29           14

[2] As part of CMS's data center consolidation initiative, enterprise data centers are being used to process Medicare fee-for-service claims. Eventually all CMS data center operations will transition from the 14 legacy data centers to at most three enterprise data centers.

OBJECTIVES, SCOPE, AND METHODOLOGY

Objectives

Our objectives were to (1) assess the scope and sufficiency of Medicare contractor information security program evaluations and data center technical assessments and (2) report the results of those evaluations and assessments.

Scope

We evaluated the FY 2006 results of the independent evaluations and technical assessments of Medicare contractors' information security programs. Our review did not include an evaluation of internal controls. We performed our reviews of PwC and JANUS working papers at CMS headquarters in Baltimore, Maryland, and at Office of Inspector General regional offices.

Methodology

To accomplish our objectives, we performed the following steps:

        •   To assess the scope of the evaluations of contractor information security programs, we determined whether the AUPs included the eight FISMA control requirements.

        •   To assess the scope of the data center technical assessments, we reviewed the contract and statement of work between CMS and JANUS and verified that JANUS performed the work that CMS had specified.

        •   To assess the sufficiency of the evaluations of contractor information security programs, we reviewed PwC working papers supporting the evaluation reports to determine whether PwC conducted the AUPs listed in the reports. We also determined whether PwC conducted the evaluations in accordance with attestation engagement standards established by the American Institute of Certified Public Accountants and in accordance with Government Auditing Standards. In addition, we determined whether the evaluation reports encompassed the eight FISMA control areas enumerated in section 1874A(e)(1) of the Act.

        •   To assess the sufficiency of the data center technical assessments, we reviewed supporting working papers to verify that JANUS completed all test procedures, reported all medium- and high-risk gaps, and adequately supported all reported results with sufficient and appropriate evidence.

        •   To report on the results of the JANUS evaluations and technical assessments, we aggregated the results contained in the individual contractor evaluation reports and data center technical assessment reports. For the PwC evaluations, we used the number of gaps listed in the individual contractor evaluation reports to aggregate the results. In some instances, several gaps were noted under FISMA control subcategories. This was different from prior years, when PwC noted only one gap per subcategory per contractor. We counted duplicate gaps listed in a FISMA control area only once. For the JANUS assessments, we used the business risks listed in the individual technical assessment reports to aggregate the results.

We conducted this performance audit in accordance with generally accepted government auditing standards, except that we did not obtain comments from JANUS or PwC. Those standards require that we plan and perform the audit to obtain sufficient, appropriate evidence to provide a reasonable basis for our findings and conclusions based on our audit objectives. We believe that the evidence obtained provides a reasonable basis for our findings and conclusions based on our audit objectives.


RESULTS OF REVIEW

PwC's reviews of the contractor information security program evaluations were adequate in scope and sufficiency. We could not determine the extent and sufficiency of the JANUS work for the data center technical assessments because of several issues with its working papers. PwC reported a total of 110 gaps at 29 Medicare contractors. JANUS reported a total of 115 gaps at 14 data centers.

ASSESSMENT OF SCOPE AND SUFFICIENCY

PwC's reviews of the contractor information security program evaluations adequately encompassed in scope and sufficiency the eight FISMA requirements referenced in section 1874A(e)(1) of the Act.

We could not determine the extent and sufficiency of the JANUS work for the data center technical assessments because of several issues with its working papers. CMS's contract with JANUS provided for the planning, development, and implementation of a comprehensive program to perform testing of information security controls at Medicare data centers.

The test plan documentation supplied by JANUS for 11 of the 14 data centers (78 percent) did not contain sufficient evidence that all of the testing procedures had been performed. For the test plans provided, JANUS did not always indicate whether it actually completed each testing procedure. Additionally, for 8 of the 14 data centers (57 percent), we were unable to trace all gaps presented in JANUS' reports to supporting evidence because of illegible handwriting and the lack of cross-references in the test scripts. Lastly, for 7 of the 14 data centers (50 percent), we were not able to determine whether JANUS included all medium- and high-risk gaps in the respective data center reports because of incomplete or undocumented elements in the JANUS working papers. For one data center, JANUS did not include a gap identified during testing in the data center's report. (See Appendix A for our analysis of the JANUS data center assessments.)

RESULTS OF MEDICARE CONTRACTOR INFORMATION SECURITY PROGRAM EVALUATIONS

We present the results of the Medicare contractor information security program evaluations in terms of gaps, which are defined as the differences between FISMA or CMS core security requirements and the contractors' implementation of those requirements.

The 29 evaluation reports identified a total of 110 gaps. The average number of gaps per contractor was four. As shown in Table 2, the number of gaps per contractor ranged from 0 to 10 for FY 2006. (See Appendix B for the list of gaps per control area by contractor.)

                       Table 2: Range of Medicare Contractor Gaps

                                     Number of Contractors With
          Total      0 Gaps     1 Gap     2–5 Gaps     6–9 Gaps     10+ Gaps
   FY     Gaps
  2005     92           9          7          8            7            1
  2006    110           6          3         12            7            1

The number of gaps reported in the PwC FY 2006 evaluation reports increased by approximately 20 percent when compared to the results for FY 2005, and the number of contractors with no gaps decreased by a third. (See Appendix C for the FYs 2005–2006 percentage change in gaps per Medicare contractor.)

Table 3 summarizes the gaps found in each FISMA control area in FY 2005 and FY 2006. The two FISMA control areas experiencing a change of over 100 percent were: (1) testing of information security controls and (2) policies and procedures to reduce risk. The three FISMA control areas that changed between 50 percent and 100 percent were: (1) periodic risk assessments, (2) incident response, and (3) continuity-of-operations planning. (Appendix D summarizes the changes in a graph.)

      Table 3: Gaps by Federal Information Security Management Act Control Area

                                              Impact Levels     No. of Gaps      No. of Contractors
                                              of FISMA          Identified       with One or More
  FISMA Control Area                          Control Area      FY      FY       Gap(s)
                                              Subcategories     2005    2006     FY 2005   FY 2006
  Periodic risk assessments                   High/Medium        6       2          5         2
  Policies and procedures to reduce risk      High/Medium        9      22          7        14
  Security program and system security plans  High/Medium       16      15         14        13
  Security awareness training                 High/Medium       10      14          7        10
  Testing of information security controls    High/Medium       21      44         14        20
  Remedial actions                            Medium             3       2          2         2
  Incident response                           High               6       3          5         3
  Continuity-of-operations planning           High              21       8         12         7
  Total                                                         92     110

The Medicare contractor information security program evaluations assessed several subcategories within each FISMA control area. The "impact level" shown in Table 3 refers to the possible level of adverse impact that could result from successful exploitation of gaps in any of the FISMA control area subcategories, depending on the organization's mission and criticality and the sensitivity of the systems and data involved. CMS and independent auditors developed ratings of high, medium, or low impact for the subcategories of the FISMA control areas. The actual ratings assigned to the subcategories were all high or medium impact and were PwC's assessment. It is important to note that the impact levels were assigned to subcategories of the FISMA control areas, not to individual gaps identified within the control areas or subcategories. Individual gaps were assigned an overall risk level on a subjective basis by PwC after taking into consideration the impact and likelihood of occurrence. However, as stated in NIST Special Publication (SP) 800-115, "Technical Guide to Information Security Testing and Assessment," it is difficult to identify the risk level of individual vulnerabilities because they rarely exist in isolation.

The following sections discuss the four FISMA control areas containing the most gaps. (See Appendix E for descriptions of each subcategory tested.)

Testing of Information Security Controls

According to NIST SP 800-53, "Recommended Security Controls for Federal Information Systems," the effectiveness of information security policies, procedures, practices, and controls should be tested and evaluated at least annually (or more often depending on risk). NIST SP 800-115 notes that security testing allows organizations to measure levels of compliance in areas such as patch management, password policy, and configuration management.
According to GAO's FISCAM, changes to an application should be tested and approved before being put into production.

Nine of the twenty-nine Medicare contractors had no identified gaps in the testing of information security controls, while the remaining 20 had one to six gaps each. In total, 44 gaps were identified in this area, with 42 gaps assigned to high-impact subcategories.

Following are examples of these gaps:

  • A penetration assessment was not performed within the previous 12 months.

  • An annual review or audit was not performed of platform configuration standards and patch management controls.

  • Procedures for making changes to supplemental claims processing software did not include testing and approval of changes before the changes were put into production.

Without a comprehensive program for periodically testing and monitoring information security controls, management has no assurance that appropriate safeguards are in place to adequately mitigate identified risks.

Policies and Procedures To Reduce Risk

According to NIST SP 800-30, "Risk Management Guide for Information Technology Systems," risk management is the process of identifying and assessing risk and taking steps to reduce risk to an acceptable level. NIST SP 800-53 requires organizations to establish mandatory security configuration settings for information technology products, enforce the configuration settings in all components of the information system, and promptly install newly released security-relevant patches and service packs.

Fifteen of the twenty-nine Medicare contractors had no identified gaps in policies and procedures to reduce risk, while the remaining 14 had one to three gaps each. In total, 22 gaps were identified in this area. Nine gaps were assigned to high-impact subcategories. Following are examples of gaps in policies and procedures to reduce risk:

  • Router configuration standards were not sufficient to adequately reduce the risk of unauthorized access to sensitive CMS information.

  • Weaknesses were identified in the configuration standards for firewalls, Windows servers, and internal network security controls. The standards were not adequate to reduce the risk of unauthorized access to sensitive CMS information.

  • The contractor had not developed detailed procedures for UNIX patch management and Windows security configurations.

Ineffective policies and procedures to reduce risk could jeopardize an organization's ability to perform its mission, as well as to safeguard its information and IT assets. Without adequate configuration standards and the latest security patches, systems may be susceptible to exploitation that could lead to unauthorized disclosure, modification, or non-availability of data.

Security Program and System Security Plans

NIST SP 800-100, "Information Security Handbook: A Guide for Managers," states that agencies should ensure their information security policy is sufficiently current to accommodate the information security environment and the agency mission and operational requirements. Federal Information Processing Standards (FIPS) 200, "Minimum Security Requirements for Federal Information and Information Systems," and NIST SP 800-53 require organizations to screen employees before granting access to information and information systems.

NIST SP 800-18, "Guide for Developing Security Plans for Federal Information Systems," states that system security plans should provide an overview of a system's security requirements and describe the controls in place or planned for meeting those requirements.

Sixteen of the twenty-nine Medicare contractors had no identified gaps in security programs and system security plans, while the remaining 13 had one to two gaps each. In total, 15 gaps were identified in this area. Eight gaps were assigned to high-impact subcategories.

Following are examples of gaps in security programs and system security plans:

  • The contractor did not review security policies and procedures within the previous 12 months.

  • The contractor did not complete background investigations for all selected employees before they received system access.

  • The contractor did not maintain evidence that implemented corrective action plans had been tested.

If information security program requirements are not implemented and enforced, management has no assurance that established system security controls will be effective in protecting valuable assets, such as information, hardware, software, systems, and related technology assets that support the organization's critical missions.

Security Awareness Training

The Computer Security Act of 1987 (P.L. No. 100-235) requires periodic training in computer security awareness and accepted computer practices for all employees who manage, use, or operate Federal computer systems. Additionally, Federal regulations (5 C.F.R. § 930.301(a)) require that role-specific training be provided based on each user's security responsibilities. FIPS 200, "Minimum Security Requirements for Federal Information and Information Systems," and NIST SP 800-53 require organizations to provide security awareness training to all information system users at least annually.
Additionally, Federal regulations (5 C.F.R. § 930.301(a)) require agencies to provide training for employees with significant information security responsibilities, and the CMS "Business Partners Systems Security Manual" requires Medicare contractors to document and monitor information security training activities.

Nineteen of the twenty-nine Medicare contractors had no identified gaps in security awareness training, while the remaining 10 had one to three gaps each. In total, 14 gaps were identified in this area. One gap was assigned to a high-impact subcategory.

Following are examples of security awareness training gaps:

  • Security training and professional development for employees with significant security responsibilities had not been documented or formally monitored.

  • Employees did not complete security refresher training within 1 year.

Employees who are unaware of their security responsibilities or have not received adequate training may be at increased risk of causing or exacerbating a computer security incident. If security personnel are not provided specific job-related training, management has no assurance that these employees can effectively perform their job responsibilities. Inadequately trained employees could cause the loss, destruction, or misuse of sensitive information and IT assets.

RESULTS OF DATA CENTER TECHNICAL ASSESSMENTS

We present the results of the data center technical assessments in terms of gaps, which are defined as the differences between FISMA or CMS core security requirements and the contractors' implementation of those requirements. The 14 Medicare data center technical assessment reports identified a total of 115 gaps. The average number of gaps per data center was eight. As shown in Table 4, the number of gaps per data center ranged from 0 to 30.

Table 4: Range of Data Center Gaps

                     Number of Data Centers With:
  FY    Total Gaps   0 Gaps   1–5 Gaps   6–10 Gaps   11–20 Gaps   21–30 Gaps
  2005      39          1        12          1            0            0
  2006     115          1         6          3            3            1

For FY 2006, CMS contracted with JANUS to evaluate NIST security controls at the 14 data centers. Overall, the FY 2006 testing addressed the following 12 NIST security control areas:

  • access control

  • media protection

  • certification, accreditation, and security assessments

  • awareness and training

  • maintenance

  • identification and authentication

  • system and services acquisition

  • personnel security

  • incident response

  • e-authentication

  • physical and environmental protection

  • system and communications protection

At eight data centers, JANUS's testing was limited to a policy and procedure review of six of the above security control areas. At five data centers, JANUS tested all twelve of the above NIST security control areas, in addition to a penetration test of mainframe and distributed systems. During the course of its assessments, JANUS also identified gaps at some data centers in three additional security control areas (i.e., configuration management, system and information integrity, and audit and accountability).

At the enterprise data center, JANUS tested 18 NIST security control areas, in addition to a penetration test of mainframe and distributed systems. The security controls tested were the 12 listed above plus system and information integrity, configuration management, audit and accountability, contingency planning, security planning, and risk assessment.

JANUS assigned each of the gaps to one of the 18 security control areas. Like PwC, JANUS categorized the risks associated with the individual gaps as high, medium, or low based on the potential impact and likelihood of exploitation. Of the 115 gaps JANUS identified across all 14 data centers, 14 gaps were high risk, 37 gaps were medium risk, and 64 gaps were low risk. Twenty-one gaps were resolved and closed during or after JANUS's onsite visits to the data centers, including 2 high-risk gaps, 6 medium-risk gaps, and 13 low-risk gaps. Hence, there were a total of 94 open gaps at data centers requiring corrective action in FY 2006.

The total number of gaps identified in FY 2006 (115) was significantly higher than the number identified in FY 2005 (39), an increase of 76 gaps.
We did not perform a detailed comparison of the number of gaps identified within each security control category for the 2 FYs because of the significant changes in the scope and assessment categories reviewed by JANUS in FY 2006. The FY 2005 data center assessments were limited to a policy and procedure review of six control areas and did not involve technical security testing of data center networks and systems, as did the assessments in FY 2006.

Table 5 below presents the aggregate results reported for the 14 data centers, including the number of data centers with high-risk gaps. Appendix F shows the number of reported gaps at each data center by security control area.

Table 5: Data Center Reported Gaps by National Institute of Standards and Technology Security Control Area

                                                            No. of Data   No. of Data   Total No.    No. of      No. of        No. of
                                                            Centers       Centers       of Gaps      High-Risk   Medium-Risk   Low-Risk
  Security Control Area                                     Tested        w/ Gaps       Identified   Gaps        Gaps          Gaps
  Access control                                                 6             6            42           11           12            19
  Configuration management                                       6             4            17            3           12             2
  Media protection                                              14             6             9            0            2             7
  Certification, accreditation, and security assessments        14             4             8            0            1             7
  Awareness and training                                        14             5             7            0            0             7
  Maintenance                                                   14             7             7            0            2             5
  Identification and authentication                              6             5             7            0            1             6
  System and information integrity                               6             2             6            0            6             0
  System and services acquisition                               14             3             4            0            0             4
  Audit and accountability                                       6             1             2            0            1             1
  Personnel security                                             6             2             2            0            0             2
  Incident response                                             14             1             1            0            0             1
  E-authentication                                               6             1             1            0            0             1
  Physical and environmental protection                          6             1             1            0            0             1
  System and communications protection                           6             1             1            0            0             1
  Total                                                                                    115           14           37            64

Note: JANUS reported no gaps in the following NIST security control areas: contingency planning, security planning, and risk assessment.

Noteworthy from the results in the JANUS reports is that 10 of the 14 high-risk gaps (71 percent) were identified at one of the 14 data centers. In addition, the 30 gaps reported at this data center made up 26 percent of all identified gaps, and 26 of the 37 medium-risk gaps (70 percent) were identified at three data centers.

Figure 1 uses the data from Table 5 to show the percentages of data centers with gaps (per NIST security control area) in relation to the number of data centers tested. Gaps were identified at more than one-third of data centers tested in the following NIST security control areas: access control, identification and authentication, configuration management, maintenance, media protection, and awareness and training.

[Figure 1: Percentage of Tested Data Centers to Data Centers with Gaps, by National Institute of Standards and Technology Control Area. Bar chart with one bar per NIST security control area and a percentage axis; the chart image is not reproduced in this text.]
                                      E\n                                                                               A\n\n\n\n\n       20%\n\n\n\n                                                                              S\n\n\n\n                                                                             de\n                                                                              P\n\n\n\n\n                                                                           ci\n                                                                         In\n       10%\n\n        0%\n\n\n\n\nThe following sections discuss the six security control areas for which more than one-third of\ntested data centers had gaps.\n\nAccess Control\n\nAccording to GAO\xe2\x80\x99s FISCAM, inadequate access controls diminish the reliability of\ncomputerized data and increase the risk of destruction or inappropriate disclosure of data. Gaps\nin access control create vulnerabilities in the confidentiality, integrity, and availability of\nMedicare data and systems. Associated gaps in the configuration of systems software that\ncontrol access to systems can make computers vulnerable to unauthorized access.\n\nSix of the six data centers (100 percent) tested for access control had gaps. Examples of these\ngaps included the ability to read files containing personal health information on the mainframe\nsystem, users having unnecessary update access to many system files, and the ability to access\nsensitive data from Internet-facing Web servers.\n\n                                                                               12\n\x0cIdentification and Authentication\n\nFIPS 200 and NIST SP 800-53 require organizations to develop, disseminate, and periodically\nreview or update identification and authentication policies and procedures. Authentication of an\nindividual\xe2\x80\x99s identity is a fundamental component of physical and logical access control\nprocesses. 
A common threat to an organization’s servers is that sensitive information on the server may be read by unauthorized individuals or changed in an unauthorized manner.

Five of the six data centers (83 percent) tested for identification and authentication controls had gaps. Examples included the lack of policies and procedures for identification and authentication controls, user account passwords that did not comply with CMS policy, and the use of an older version of an authentication protocol.

Configuration Management

GAO’s FISCAM indicates that without proper configuration management, security features could accidentally or intentionally be turned off. In addition, processing irregularities or malicious code could be introduced that might allow access to sensitive data or remote control of a system. NIST SP 800-70, “Security Configuration Checklists Program for IT Products,” identifies the use of security configuration checklists as a way to provide a consistent approach to systems security and help protect against common and dangerous local and remote threats.

JANUS identified multiple gaps at four of the six data centers (67 percent) tested in this area. High-risk examples were the use of insecure protocols over the Internet; unnecessary services running on servers, which increase the risk of unauthorized access; and the use of unsupported operating systems on the network.

Maintenance

FIPS 200 and NIST SP 800-53 require organizations to develop, disseminate, and periodically review or update system maintenance policies and procedures, provide timely maintenance, and maintain maintenance records for the information system.

Seven of the fourteen data centers (50 percent) tested for maintenance controls had gaps. Examples included critical security patches not being installed in a timely manner, lack of documented policies and procedures for maintenance controls, and inadequate maintenance logs.

Media Protection

According to GAO’s FISCAM, media containing sensitive information that has not been sanitized may be recovered and the information inappropriately used or disclosed by individuals who have access to the discarded or transferred media. Unauthorized access to sensitive information could have a serious adverse effect.

Six of the fourteen data centers (43 percent) tested for media protection controls had gaps. Examples included the lack of policies and procedures for the storage and labeling of media and the lack of degaussing of expired or reused media, which could lead to the disclosure of sensitive Medicare information.

Awareness and Training

FIPS 200 and NIST SP 800-53 require organizations to develop, disseminate, and periodically review or update security awareness and training policies and procedures, provide security awareness training before granting access to information systems, and maintain records of information system security training activities.

Five of the fourteen data centers (36 percent) tested for awareness and training controls had gaps. Examples included lack of policies for awareness and training, inadequate training in organizational policies and procedures, and lack of security training before granting access to sensitive information.

CONCLUSION

The work performed by PwC to evaluate contractor information security programs adequately encompassed the eight FISMA requirements referenced in section 1874A of the Act.
Gaps reported during the PwC program evaluations were supported by documented evidence.

However, we could not determine the extent and sufficiency of the JANUS work for the data center technical assessments because of several issues with its working papers. In many instances, the documentation supplied by JANUS did not provide evidence of the testing procedures performed at the data centers. The documentation JANUS provided did not always indicate whether JANUS actually completed each testing procedure, and cross-references to supporting documentation were missing for many of the test procedures. In most cases, we were unable to trace gaps presented in JANUS’s final reports to supporting evidence. Because the documentation provided by JANUS did not reasonably ensure that JANUS completed the work CMS engaged it to do, we could not determine whether JANUS reported all medium- or high-risk gaps and adequately supported all gaps that were included in the reports.

RECOMMENDATION

We recommend that CMS review all contractor documentation related to future data center technical assessments and ensure that the work performed complies with CMS contractual requirements. At a minimum, this should include a review of test plans to ensure that the contractor has completed all required testing procedures and a review of contractor working papers to verify that reported gaps have been adequately supported, identified, and included in the technical assessment reports.

CENTERS FOR MEDICARE & MEDICAID SERVICES COMMENTS

In written comments to our draft report, CMS concurred with our recommendation. CMS also stated that it has taken the appropriate actions to address the identified issues. We have included CMS’s comments in their entirety in Appendix G.

APPENDIXES

APPENDIX A: ASSESSMENT OF SCOPE AND SUFFICIENCY FOR THE JANUS DATA CENTER ASSESSMENTS

Office of Inspector General Criteria for Assessing JANUS Working Papers

Data Center   Sufficient evidence that     Sufficient documentation     Reported all medium-
              all work was performed?      for all reported gaps?       and high-risk gaps?
     1        Yes                          Yes                          Yes
     2        No                           No                           Inconclusive*
     3        No                           No                           Inconclusive*
     4        Yes                          Yes                          Yes
     5        No                           Yes                          Yes
     6        No                           No gaps reported             Inconclusive*
     7        No                           Yes                          Yes
     8        Yes                          No                           No
     9        No                           No                           Inconclusive*
    10        No                           No                           Yes
    11        No                           No                           Inconclusive*
    12        No                           No                           Inconclusive*
    13        No                           No                           Inconclusive*
    14        No                           Yes                          Yes

*Because of deficiencies with JANUS working papers, we were unable to determine whether JANUS had reported all medium- and high-risk gaps.
APPENDIX B: LIST OF GAPS BY FEDERAL INFORMATION SECURITY MANAGEMENT ACT OF 2002 CONTROL AREA AND MEDICARE CONTRACTOR

Control areas (with impact levels):
  RA  = Periodic Risk Assessments (High)
  PP  = Policies and Procedures To Reduce Risk (High)
  SP  = Security Program and Security Plans (High)
  AT  = Security Awareness Training (High)
  TC  = Testing of Controls (High)
  RM  = Remedial Actions (Medium)
  IR  = Incident Response (High)
  CO  = Continuity of Operations (High)

Medicare      RA    PP    SP    AT    TC    RM    IR    CO    Total
Contractor                                                    Gaps
     1         0     0     0     0     1     0     0     0       1
     2         0     0     0     0     0     0     0     0       0
     3         0     1     1     1     2     0     0     0       5
     4         0     0     0     0     0     0     0     0       0
     5         0     0     0     0     0     0     0     0       0
     6         0     1     1     2     6     0     0     0      10
     7         0     3     1     2     2     0     0     0       8
     8         0     2     1     1     3     0     0     0       7
     9         0     3     0     0     2     0     0     0       5
    10         0     2     0     0     2     0     0     0       4
    11         0     0     1     1     3     0     0     0       5
    12         0     0     0     0     1     0     0     0       1
    13         0     0     1     0     0     0     0     1       2
    14         0     1     0     0     1     0     0     1       3
    15         1     2     1     0     1     0     0     1       6
    16         1     0     2     1     3     0     0     1       8
    17         0     1     1     3     2     0     0     0       7
    18         0     0     0     0     0     0     0     0       0
    19         0     0     0     0     0     0     0     0       0
    20         0     1     0     0     2     1     0     0       4
    21         0     1     1     1     1     0     0     0       4
    22         0     2     2     1     2     1     1     0       9
    23         0     0     0     0     2     0     0     0       2
    24         0     1     0     0     5     0     1     2       9
    25         0     0     1     1     2     0     0     0       4
    26         0     1     0     0     0     0     0     1       2
    27         0     0     0     0     1     0     1     1       3
    28         0     0     0     0     0     0     0     0       0
    29         0     0     1     0     0     0     0     0       1
  Total        2    22    15    14    44     2     3     8     110

Note: Impact levels for Federal Information Security Management Act of 2002 (FISMA) control areas were derived by PricewaterhouseCoopers by taking the highest value from among the subcategories.

APPENDIX C: PERCENTAGE CHANGE IN GAPS PER MEDICARE CONTRACTOR

Contractor          FY 2005     FY 2006     % Change
     1                  0           1          100
     2                N/A           0          N/A
     3                  1           5          400
     4                  0           0            0
     5                  0           0            0
     6                  0          10         1000
     7                  0           8          800
     8                 11           7          (36)
     9                  0           5          500
    10                  1           4          300
    11                  1           5          400
    12                  2           1          (50)
    13                  6           2          (67)
    14                  0           3          300
    15                  4           6           50
    16                  1           8          700
    17                  0           7          700
    18                  0           0            0
    19                N/A           0          N/A
    20                  6           4          (33)
    21                  2           4          100
    22                  2           9          350
    23                  1           2          100
    24                  1           9          800
    25                  7           4          (43)
    26                  5           2          (60)
    27                  8           3          (63)
    28                  1           0         (100)
    29                  3           1          (67)
Contractors no
longer in program      29           -            -
  Total                92         110           20

Note: Contractors listed as “N/A” were new Durable Medical Equipment Medicare Administrative Contractors in FY 2006. Figures in parentheses are decreases.
FY = fiscal year

APPENDIX D: MEDICARE CONTRACTOR CHANGE IN TOTAL GAPS BY FEDERAL INFORMATION SECURITY MANAGEMENT ACT OF 2002 CONTROL AREA

[Figure: grouped bar chart comparing FY2005 and FY2006 gaps (vertical axis: Gaps, 0 to 50) for each FISMA control area. The horizontal-axis categories recovered from the extraction are: I. Risk Assessments; II. Policies and Procedures; III. Security Plans; IV. Security Awareness Training; V. Testing of IT Controls; VI. Remedial Actions; VII. Incident Response; VIII. Continuity of Operations. Bar values are not recoverable from the extraction.]

IT = Information technology
5\n\n\n     APPENDIX E: RESULTS OF MEDICARE CONTRACTOR EVALUATIONS\n     FOR FEDERAL INFORMATION SECURITY MANAGEMENT ACT OF 2002\n         CONTROL AREAS WITH THE GREATEST NUMBER OF GAPS\n\nThe \xe2\x80\x9cimpact level\xe2\x80\x9d shown in Tables 1 through 4 on the following pages refers to the level of\nadverse impact that could result from successful exploitation of a vulnerability in any of the\nFISMA control areas. Impact can be described as high, medium, or low in light of the\norganization\xe2\x80\x99s mission and criticality and the sensitivity of the systems and data involved.\nPricewaterhouseCoopers assigned a rating of high or medium impact to each of the subcategories\nin the agreed-upon procedures developed by the Centers for Medicare & Medicaid Services\n(CMS). It is important to note that the impact levels were assigned to subcategories of the\nFISMA control areas, not the individual gaps identified within the control areas or subcategories.\nIndividual gaps were assigned an overall risk level on a subjective basis by\nPricewaterhouseCoopers after taking into consideration the impact and likelihood of occurrence.\n\x0c                                                                                         Page 2 of 5\n\n\nTESTING OF INFORMATION SECURITY CONTROLS\n\nThe Medicare contractor information security program evaluations assessed five subcategories\nrelated to the testing of information security controls. The evaluation reports identified a total of\n44 gaps in this FISMA control area.\n\n                    Table 1: Testing of Information Security Controls Gaps\n                                                        No. 
of Total Gaps           Subcategory\n                        Subcategory                       in This Area              Impact Level\n     Management reports exist for the review and\n     testing of information security policies and\n     procedures, including network risk assessments,\n1                                                               7*                       High\n     accreditations and certifications, internal and\n     external audits, security reviews, and penetration\n     and vulnerability assessments.\n     Annual reviews and audits are conducted to\n     ensure compliance with FISMA guidance from\n     the Office of Management and Budget for\n2    reviews of security controls, including logical            5                        High\n     and physical security controls, platform\n     configuration standards, and patch management\n     controls.\n3    Change control management procedures exist.                9*                       High\n     Change control procedures are tested by\n4                                                              21*                       High\n     management to ensure they are in use.\n     Remedial action is being taken for issues noted in\n5                                                               2                      Medium\n     audits.\n      Total                                                     44\n\n*Indicates notable gap increase from FY 2005.\n\x0c                                                                                        Page 3 of 5\n\n\nPOLICIES AND PROCEDURES TO REDUCE RISK\n\nThe Medicare contractor information security program evaluations assessed six subcategories\nrelated to policies and procedures to reduce risk. The evaluation reports identified a total of 22\ngaps in this FISMA control area.\n\n                   Table 2: Policies and Procedures To Reduce Risk Gaps\n                                                        No. 
of Total Gaps         Subcategory\n                      Subcategory                         in This Area            Impact Level\n    Management activities include security controls\n    in the costs of developing new systems as part\n1   of the system development life cycle.                        0                    High\n    Procedures for software changes include steps\n    to control the changes.\n    Systems security controls have been tested and\n2   evaluated. The system/network boundaries                    7*                    High\n    have been subjected to periodic reviews/audits.\n    Management has performed accreditations and\n    certifications of major systems in accordance\n3                                                                0                    High\n    with FISMA policies, including security\n    controls testing and documentation.\n    Documentation exists that outlines reducing the\n4   risk exposure identified in periodic risk                    0                    High\n    assessments.\n    Gaps in compliance exist based on a\n    comparison of management\xe2\x80\x99s compliance\n5                                                                2                    High\n    checklist and CMS\xe2\x80\x99s core security\n    requirements.\n    Security policies and procedures include\n6   controls to address platform security                       13*                  Medium\n    configurations and patch management.\n      Total                                                     22\n\n*Indicates notable gap increase from FY 2005.\n\x0c                                                                                       Page 4 of 5\n\n\nSECURITY PROGRAM AND SYSTEM SECURITY PLANS\n\nThe Medicare contractor information security program evaluations assessed 11 subcategories\nrelated to security program and system security plans. 
The evaluation reports identified a total of 15 gaps in this FISMA control area.

                Table 3: Security Program and System Security Plan Gaps
No. of Total Gaps in This Area (Gaps column) and Subcategory Impact Level (Impact Level column):

No.  Subcategory                                                               Gaps  Impact Level
1    Security policies and procedures are included in the policies and           0    High
     procedures for control of the life cycle of systems, including
     accreditations and certifications.
2    Owners and users are aware of security policies.                            1    High
3    A security plan is documented and approved.                                 0    High
4    The plan is kept current.                                                   1    High
5    Management ensures that corrective actions are effectively                  1    High
     implemented.
6    Security employees have adequate security training and expertise.          5    High
7    Hiring, transfer, termination, and performance policies address             0    High
     security.
8    Employee background checks are performed.                                   2    Medium
9    A security management structure has been established.                       0    Medium
10   Information security responsibilities are clearly assigned.                 0    Medium
11   Management has documented that it periodically
     assesses the appropriateness of security policies and compliance            5    Medium
     with them, including testing of security policies and procedures.
     Total                                                                      15

SECURITY AWARENESS TRAINING

The Medicare contractor information security program evaluations assessed six subcategories
related to security awareness training. The evaluation reports identified a total of 14 gaps in this
FISMA control area.

                          Table 4: Security Awareness Training Gaps
No. of Total Gaps in This Area (Gaps column) and Subcategory Impact Level (Impact Level column):

No.  Subcategory                                                               Gaps  Impact Level
1    Annual refresher training for security is mandatory.                        1    High
2    Employees have received a copy of or have easy access to agency             0    Medium
     security procedures and policies.
3    Employees have received a copy of the Rules of Behavior.                    3    Medium
4    Systematic methods are used to make employees aware of security             0    Medium
     (e.g., posters or booklets).
5    Security professionals have received specific training for their job        6    Medium
     responsibilities, and the type and frequency of application-specific
     training provided to employees and contractor personnel are documented
     and tracked.
6    Employee training and professional development have been documented and     4
                                                                                     Medium
     formally monitored.
     Total                                                                      14


APPENDIX F: LIST OF GAPS BY NATIONAL INSTITUTE OF STANDARDS AND
TECHNOLOGY SECURITY CONTROL AREA AND DATA CENTER

NIST Security Control Area                                                    Data Center                        Total
                                                           1   2   3   4   5   6   7   8   9  10  11  12  13  14  Gaps
Access Control                                             5   5   0   0   0   0   9  14   5   0   0   0   4   0    42
Configuration Management                                   1   1   0   0   0   0   4  11   0   0   0   0   0   0    17
Media Protection                                           0   2   1   2   0   0   0   2   0   0   0   1   0   1     9
Certification, Accreditation, and Security Assessments     0   2   0   0   1   0   0   0   0   4   1   0   0   0     8
Awareness and Training                                     0   1   1   0   2   0   0   1   0   2   0   0   0   0     7
Maintenance                                                1   1   1   0   1   0   0   0   1   1   0   1   0   0     7
Identification and Authentication                          1   3   0   0   0   0   0   1   1   0   0   0   1   0     7
System and Information Integrity                           1   0   0   0   0   0   0   0   5   0   0   0   0   0     6
System and Services Acquisition                            0   2   0   0   0   0   0   0   1   1   0   0   0   0     4
Personnel Security                                         0   1   0   0   0   0   0   1   0   0   0   0   0   0     2
Audit and Accountability                                   0   0   0   0   0   0   2   0   0   0   0   0   0   0     2
Physical and Environmental Protection                      0   0   0   0   0   0   0   0   0   0   0   0   1   0     1
System and Communications Protection                       0   1   0   0   0   0   0   0   0   0   0   0   0   0     1
Incident Response                                          0   0   0   0   0   0   0   0   0   1   0   0   0   0     1
E-authentication                                           0   0   0   0   0   0   0   0   0   0   0   0   1   0     1

Total                                                      9  19   3   2   4   0  15  30  13   9   1   2   7   1   115

Note: JANUS reported no gaps in the following NIST security control areas: contingency
planning, security planning, and risk assessment.

NIST = National Institute of Standards and Technology


APPENDIX G: CENTERS FOR MEDICARE & MEDICAID SERVICES COMMENTS


DEPARTMENT OF HEALTH & HUMAN SERVICES                          Centers for Medicare & Medicaid Services

                                                               Administrator
                                                               Washington, DC 20201


SEP 24

TO:        Daniel R.
           Levinson
           Inspector General

FROM:      Acting Administrator

SUBJECT:   Office of Inspector General (OIG) Draft Report - Review of Medicare Contractor
           Information Security Program Evaluations for Fiscal Year 2006 (A-18-07-30290)

Thank you for the opportunity to review and respond to the report on the Centers for Medicare &
Medicaid Services (CMS) contractor information security program evaluation. We appreciate
the efforts the OIG has taken to examine our information systems security program and
work with CMS on the various issues identified by the audit. We believe this process furthers
our efforts to maintain and advance the confidentiality, integrity and availability of all CMS
programs.

The OIG found that a CMS Security Test and Evaluation (ST&E) contractor did not adequately
document its testing procedures. The OIG was unable to trace gaps presented in the ST&E
contractor’s final reports to supporting evidence. Due to the lack of documentation, the OIG was
not able to determine whether JANUS reported all risk gaps or adequately supported all gaps that
were included in the reports.

CMS is in agreement with the OIG’s finding. CMS has taken appropriate steps to address the
finding and the associated recommendations.
The OIG’s recommendations and our detailed comments and response are below.

OIG Recommendation

We recommend that CMS review all contractor documentation related to future data center
technical assessments and ensure that the work performed complies with CMS’ contractual
requirements. At a minimum, this should include a review of test plans to ensure that the
contractor has completed all required testing procedures and a review of contractor working
papers to verify that reported gaps have been adequately supported, identified, and included in
the technical assessment reports.

CMS Response:

CMS concurs with the OIG’s recommendation. CMS met with JANUS Associates in fiscal year
2007/2008 to address and discuss the identified issues. JANUS Associates agreed to adhere to a
more thorough and complete documentation of the test plans, test scripts, work paper
requirements, processes for verifying gaps, and review of testing requirements. As a result of
those meetings, CMS has updated the Statement of Work (SOW) and Security Test & Evaluation
(ST&E) processes to ensure the completeness of the working papers and adequacy of the work
performed in future ST&Es.

CMS has taken the appropriate actions to address the identified issues. We look forward to
working with the OIG on future audits.